Document

Client Principal in the
wild
Or, how we learnt to love the client principal …
Julian Lyndon-Smith, whoGloo
help --> about
• Julian Lyndon-Smith
• co-founder of several startups, including dot.r and whoGloo
• progress v3
• *not* a dba guy
• know enough to keep things running
• so may get some db stuff wrong. throw your rotten tomatoes ;)
• know enough about security to make me paranoid
• you should be too
agenda
• A little history of openedge security
• setuserid
• First looks at the client principal
• Getting deeper
• The client principal in the wild
• aka real code
• Tips and tricks
• questions
disclaimer
• This talk includes information about real-world products and
applications
• What I am about to say reflects our current thinking, but the
information contained herein is probably heretical, wrong, may
annoy progress, and is definitely subject to change
• Any future talks on this subject may be materially different from
what is described here
• I may offend “users” ..
V11 ?
• 11.x introduced new features for the client principal
•
•
•
•
Initialize method
Progress.Security.PAMStatus
Get-db-client
Db-list method
• 11.1 introduced callbacks
• This presentation concentrates on the v11 features, as v10
• Is not as secure
• No callbacks
• Does not have the same level of helper methods etc
Why do we need user authentication ?
Why do we need user authentication ?
• Sarbanes-Oxley (SOX)
• http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act
• Customer requirements
• Application requirements
• N-tier applications
• Appserver / webspeed
• Auditing
• Who did what / where / when
authentication is not authorisation
• Authentication is who the user is
• Authorisation is what the authorised user can do
• Often called “roles”
• You should always, however, be tracking changes to critical data
• Use the auditing systems built into OpenEdge
• Beyond the scope of this presentation
• documentation.progress.com/output/OpenEdge113/pdfs/gscsv/gscsv.pdf
A short history : setuserid
• We’ve always used setuserid()
• Present in all versions of progress since at least v3
• Not old enough to remember that far back
• Simple premise
•
•
•
•
Setuserid(“user”,”password” [,”database”])
Authenticates a user for the specified database
Tries to match a user account in the _User table of the database
Returns true or false
Setuserid : problems
• Maintenance of the _user table is painful
• Only the logged in user can change password
• Which leads to problems if the user forgets their password ;)
• Only solution is to delete the _user, and recreate
• Have to setuserid for each connected database
• It does not generate any audit events, such as for login and logout
Setuserid : problems #2
• The password encoding algorithm does not meet any industry
standards such as PCI/DSS
• “cracking” programs exist to reveal password
• Not easy to use external authentication systems
• Ldap etc
• Can’t “logout” or invalidate the authentication session
Enter client principal
• First introduced with 10.0
• Much improved since
• 11.3 version is very useful ;)
• Represents a user login session
• Share a session between appservers and agents
• Sets user id
• For the ABL application
• For the database connection
Enter client principal
•
•
•
•
•
Audit logs record login and logout of the user
Internal authentication schemes
External authentication schemes
Session data can be stored as raw value
Once “sealed” data cannot be changed
Using client principal
• Several things need to be set up in order to use the client
principal
• Authentication systems
• Domains
• Database options
Authentication systems
domains
Domain options
System type
This is the authentication
system
Audit context
This value is stored in the
_event-context field of any
auditing record
Access code
case-sensitive key used to
seal the client-principal. A
domain with the same name
and access code must exist
in the db for a sealed CP to
be validated
Database options
Override database domain
registry, trust the
application registry
Apply CAN-READ / CANWRITE permissions and
runtime, not compile time
gotchas
• Can only access primary-passphrase from within a callback
• Domain access codes are hard to keep secret in code
• very very very very bad practice ;)
• Memory leak with security-policy:get-client
• Secure access to any stored client principal records
• Long-lived CP
gotchas
• <context>Authentication System library open failure (16357)
• The <context> operation could not find/load the external shared library
containing an Authentication System plug-in module" " “
• Aka I can’t find the auth program you specified …
• Try to avoid setuserid() in your code after using client-principal
• Overwrites *and locks out* set-db-client()
• Fix this by using set-db-client(?)
Best practices for password ? (user)
• Enforce password changes on a regular basis
• NO!
• Add time delays between sign-in attempts
• 5s or so
• Consider allowing sentences as passwords
•
•
•
•
My little pony
Bacon, lettuce and tomato
Another day, another password
Easily cracked ;)
Best practices for password ? (user)
It is 10 times more secure to use "this is fun" as your password, than "J4fS<2".
http://www.baekdal.com/insights/password-security-usability
Best practices for password ? (user)
• http://arstechnica.com/security/2012/08/passwords-under-assault/
• http://tinyurl.com/nxpaxp5 (How the bible and youtube are cracking your passwords)
“Of the 4,400 unique words or phrases they mined from the Twitter searches,
1,976 of them were all or part of actual passwords used by MilitarySingles users”
Dustin's computer can perform 30 billion guesses per second against standard Windows hashes.
The $800 system uses four AMD Sapphire Radeon 7950 cards.
Best practices for password ? (user)
Best practices for password (system)
• Never, ever, ever store passwords in plain text. Ever!
• http://plaintextoffenders.com/archive
• http://mashable.com/2014/01/16/starbucks-mobile-passwords-plaintext/
• Never, ever, ever, store passwords with reversible encryption
• Always hash the password before storing.
• Each user should have a different salt for the hash
• Always try to use https on web / appserver connections
• So what if the NSA can see it ? ;)
• Ensure you have a low-level user with no permissions
• Change userid when your user logs out (appserver etc)
Let’s do this
• Let’s create a new authentication system
•
•
•
•
Create new domain
Create new authentication system
Create callback procedure to validate credentials
Create a session storage mechanism
• Validate with user code & password
• Store a sealed client principal
• Retrieve stored client principal
• authenticate
Questions ?
• Thank you for your time